Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Sonicwall Pro 4060 xAuth

Posted on 2012-03-16
6
Medium Priority
?
1,046 Views
Last Modified: 2012-08-17
Good Morning,

I have set up our new Sonicwall Pro 4060 and all is fine except that Global VPN users can't log in if I use xauth. If i set it for "allow unauthenticated users" then users can connect, but I need to have it working with xauth. At this point, I don't see why xauth is not working.



Please help.

Helmut K
0
Comment
Question by:HELMUTHK
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37731515
0
 

Author Comment

by:HELMUTHK
ID: 37743403
Thanks for the info, but this does not resolve my problem.

Here is more information on setup and config:

I am logging in from Windows XP machine with sonicwall client. Also tried the login from a windows 7 system, with the latest Sonicwall Global VPN client. Same results. OK if  set it for "allow unauthenticated users", but does not accept user ID/Password when set to use  xauth on the Pro 4060.

Here is my config from the 4060:
General tab
Wan Group VPN
IKE using preshared secret

Proposals phase1
DH group = Group2
ENC = 3des
Auth = SHA1
Lifetime = 28800

Proposals phase2
Protocol = ESP
ENC = 3DES
Auth = MD5

Enable perfect forward secrecy = yes
DH group = Group2
lifetime = 28800

Advanced Tab
Management via this sa = https

when set for xauth: User Group for XAUTH = Trusted Users.
I also created a new group called Global VPN Users, added the users/mambers to this group, VPN access to LAN subnets. Wont allow user\password to connect.

When set for "allow Unauthenticated VPN client access" = LAN Subnets, connects properly.

Client Tab
Allow connections to = This Gateway Only


Thanks,

Helmut K
0
 
LVL 3

Expert Comment

by:Konsultant
ID: 37748677
Hi Helmut,

Can you provide logs from GVC and from the sonicwall. You should see in the logs the reasons why the user was not authenticated. Also, for your testing it may not work when you are connected as admin from the same source IP address. So make sure that when you are testing you are not logged in as Admin at the same time.

Good luck!
0
The Ideal Solution for Multi-Display Applications

Check out ATEN’s VS1912 12-Port DP Video Wall Media Player at InfoComm 2017. Kerri describes how easy it is to design creative video walls in asymmetric layouts and schedule detailed playlists ahead of time with its advanced scheduling feature.

 

Author Comment

by:HELMUTHK
ID: 37748812
Log from 4060:

1 03/21/2012 10:40:12.656 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
2 03/21/2012 10:40:12.656 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
3 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Reply sent        
4 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Request Received        
5 03/21/2012 10:39:47.768 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF9 state=9        
6 03/21/2012 10:39:26.608 Alert Intrusion Prevention Probable port scan detected 173.194.33.40, 80, X1 209.53.201.211, 49578, X1 TCP scanned port list, 58864, 31332, 28539, 16340, 53586, 32797, 47627, 42182, 6607, 49578  
7 03/21/2012 10:39:11.336 Alert Intrusion Prevention Possible port scan detected 173.194.33.40, 80, X1 209.53.201.211, 45041, X1 TCP scanned port list, 11445, 54875, 45123, 55020, 32341  
8 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Reply sent        
9 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Request Received        
10 03/21/2012 10:38:47.656 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF8 state=9        
11 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
12 03/21/2012 10:38:41.240 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
13 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
14 03/21/2012 10:38:40.816 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500    
15 03/21/2012 10:38:38.656 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
16 03/21/2012 10:38:38.656 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
17 03/21/2012 10:38:38.416 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
18 03/21/2012 10:38:38.144 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
19 03/21/2012 10:38:25.304 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
20 03/21/2012 10:38:25.144 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
21 03/21/2012 10:38:24.880 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
22 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
23 03/21/2012 10:38:12.784 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
24 03/21/2012 10:38:12.640 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
25 03/21/2012 10:38:12.416 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
26 03/21/2012 10:38:08.064 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
27 03/21/2012 10:38:08.064 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
28 03/21/2012 10:38:08.016 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
29 03/21/2012 10:38:07.896 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
30 03/21/2012 10:37:57.704 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
31 03/21/2012 10:37:57.608 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
32 03/21/2012 10:37:57.608 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device      
33 03/21/2012 10:37:57.496 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
34 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Reply sent        
35 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Request Received        
36 03/21/2012 10:37:47.576 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF7 state=9        
37 03/21/2012 10:37:44.144 Info Authenticated Access GUI administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin  
38 03/21/2012 10:37:44.144 Info Authenticated Access Configuration mode administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
39 03/21/2012 10:37:44.144 Info Authenticated Access Administrator logged out 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 User logged out  
40 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Reply sent        
41 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Request Received        
42 03/21/2012 10:36:47.464 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF6 state=9        
43 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Reply sent        
44 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Request Received        
45 03/21/2012 10:35:47.352 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF5 state=9        
46 03/21/2012 10:34:36.592 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
47 03/21/2012 10:34:36.592 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
48 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Reply sent        
49 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Request Received        
50 03/21/2012 10:33:47.176 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF3 state=9        


Log from laptop:

Shows "user authentication has failed"


It must be something quite simple. such as spelling or caps, etc, but I don't see it, and I have checked the configuration many times. I guess I will have to go over it all again.

Regards,

helmut K.
0
 

Author Comment

by:HELMUTHK
ID: 37749472
Hello All,

I resolved the problem. The user ID is case sensitivr as well as the password.

Problem Fixed.

Thanks to those who tried to help.

Helmut K.
0
 
LVL 3

Accepted Solution

by:
Konsultant earned 1500 total points
ID: 37749629
Yes it is... It never crossed my mind that you would use different capitalization.
Good luck!

P.S. I had problem in past testing GVC from the same network as WAN interface. I am not sure if this is valid today.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question